New NSA Slides Reveal Tailored Access Run Amok

The NSA has seen the future of mass surveillance, and it appears they believe that the future lies in malware. Earlier this week, The Intercept reported on a series of slides and memos leaked by Edward Snowden describing the NSA's "more aggressive" approach to signals intelligence, which circumvents encryption, such as HTTPS for web browsing and PGP for email, by installing spyware directly onto targets' computers. The NSA's Tailored Access Operations Unit, which develops and deploys malware tools, has been described in a Der Spiegel report as "a squad of plumbers that can be called in when normal access to a target is blocked", implying that they are a last resort for use when other methods of surveillance fail. The new slides, however, reveal the explosive growth of TAO's data collection via malware "implants" and plans to scale the number of infected computers from the tens of thousands potentially into the millions using a system called TURBINE.

According to the leaked documents, TURBINE enables "exploitation on an industrial scale," by automating onerous tasks such as the collection of surveillance data from infected systems. Furthermore, evidence suggesting that NSA exploits Internet chokepoints for man-in-the-middle attacks and develops software to manage millions of "Computer Network Attack" implants at once demonstrates that their intent is to compromise computer security on a massive scale, rather than a tailored approach. With the help of TURBINE, the NSA's spyware network has grown from a few hundred implants in 2004, to somewhere between 85,000 and 100,000 implants around the world. Even if you believe that there may be a few hundred key systems with information vital to national security that the NSA cannot reach in any other way—even if you believe there are up to 100,000 such systems—pushing that number up into the millions stretches credulity to the breaking point. It appears that TURBINE is neither necessary for nor proportionate to the government's aims and that the NSA intends to recapitulate their mass surveillance program by installing spyware on every computer they can get their hands on.

Not only are implants a gross privacy violation; industrial-scale exploitation also makes everyone on the Internet less safe. As security researcher Matt Blaze points out in The Intercept's report, "How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?"

Even Mark Zuckerberg is concerned, to the extent of calling President Obama on the phone to complain. Zuckerberg is right to be angry at NSA for undermining the security that users expect from his company: according to The Intercept, NSA has set up fake Facebook servers and uses Facebook's cookies and other identifying data to associate a target's identity with the target's active device for malware delivery. "When our engineers work tirelessly to improve security," writes Zuckerberg, "we imagine we're protecting you against criminals, not our own government." In this context, the distinction between governments and criminals has become meaningless: an attacker is an attacker, and every website that wants to protect the privacy and security of its users ought to take note.

Slides reveal that a man-in-the-middle capability called SECONDDATE quietly redirects web browsers from the site they think they're visiting to NSA malware servers called FOXACID. The Intercept reports that "SECONDDATE is tailored not only for 'surgical' surveillance attacks on individual suspects. It can also be used to launch bulk malware attacks against computers."

EFF has the following recommendations for website operators who wish to protect their users from this kind of man-in-the-middle attack:

Deploy HTTPS by default and set the HTTP Strict Transport Security Header to reduce the risk of a man-in-the-middle or man-on-the-side attack. Users can also download HTTPS Everywhere to force HTTPS connections on thousands of sites that don't yet support it by default.

Set the "secure" flag on all HTTP cookies to prevent them from being sent in plaintext, since we know that unique cookie strings are used as selectors for TURBINE. HTTPS Everywhere can also set this automatically on the user side if a server fails to do so.

If possible, support Certificate Transparency for your SSL certificates so that man-in-the-middle attacks using fake certificates for your domain can be publicly logged. (Google has announced plans to enforce Certificate Transparency for all Extended Validation certificates sometime in the near future.)

Use Public Key Pinning to ensure that users only accept SSL certificate chains that you've approved. In the absence of pinning, any Certificate Authority can issue a malicious certificate for your domain that will be trusted by browsers; in fact, we've seen circumstantial evidence of governments ordering CAs to do so. Unfortunately, the HTTP Public Key Pinning specification is young and has only been implemented in Chrome 18+ at this time, with Mozilla actively working on it for Firefox as well.
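The first two recommendations (HSTS and the "secure" cookie flag) are things an operator can verify mechanically from a server's response headers. The following is an added example, not EFF's code and not part of the original post: a small Python audit that parses a Strict-Transport-Security value and checks every Set-Cookie for the Secure flag, reporting findings for a constructed "weak" response beside a constructed "hardened" one. It goes slightly beyond the text by also flagging cookies without HttpOnly and by assuming a minimum HSTS max-age of six months; both thresholds are the example's own choices.

```python
"""Audit HTTP response headers against the HSTS and secure-cookie recommendations.

Added example, not EFF's code. The sample responses below are constructed,
not captured from any real site.
"""
from typing import Dict, List, Set, Tuple

Header = Tuple[str, str]

# Minimum HSTS lifetime this check accepts: six months (assumption of this example).
MIN_HSTS_MAX_AGE = 15552000


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse a Strict-Transport-Security value into a directive map.

    Directive names are case-insensitive; 'max-age=N' carries a value, while
    flags such as 'includeSubDomains' map to an empty string.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def cookie_flags(set_cookie: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers: List[Header]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # Recommendation 1: HSTS present, long-lived, covering subdomains.
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        directives = parse_hsts(hsts[0])
        try:
            max_age = int(directives.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed max-age counts as too small
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too small or missing: {directives.get('max-age')!r}")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    # Recommendation 2: no cookie may travel in cleartext (Secure), and, beyond
    # the page's text, none should be readable by page scripts (HttpOnly).
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = cookie_flags(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly flag")
    return findings


# Constructed sample responses as (name, value) pairs, since Set-Cookie repeats.
WEAK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
]

HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or ["ok"])
```

Run against the weak response, the audit reports the missing HSTS header and the session cookie that lacks Secure and HttpOnly; the hardened response produces no findings. The same functions can be fed the header list from any HTTP client library that exposes repeated headers as pairs.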

NSA has issued a confused press statement that dodged the issues and denied claims never made in The Intercept's article, adding that it keeps its "foreign intelligence operations . . . as tailored as possible" and that it never targets "any user of global Internet services without appropriate legal authority." EFF is skeptical, and users and website operators should be as well.
